Nasty New Malware - Anyone seen this one?

TechLarry

About a week ago a nasty new exploit showed up, and I've not found an effective way to get rid of it.

I believe it's called "Total Secure 2009" (not the BitDefender one).

What's particularly bad about this one is it not only blocks access to just about every anti-spyware and anti-virus site I know of, it also blocks the execution of those programs if you happen to already have them.

So far I can verify it blocks access to the sites for, and the execution of the apps for:

SmitFraudFix
SuperAntiSpyware
MalwareBytes

I've had to re-image every machine with this so far.

Looks like our butt-head in Texas has a few new tricks up his sleeve.

EDIT: Corrected Malware Name
 
BTW... The last user's infection with this came from Facebook.
 
Seems to be a new wave of trojans coming out..from what I've read so far, under a new family tree called "MalwarePro"

Where the older ZLob variants were coming under names which sounded very "Microsoft"..like Defender2008 or XPAntivirus2009, etc....variants of this MalwarePro family seem to mimic 3rd party removal tool names. One that I came across was called "Search and Destroy"...some version 5.40 or something, which is not the Spybot Search and Destroy product.
 
Ok, not there yet but making progress.

Downloaded the following from the superantispyware site:

SAS_EXE
RUNSAS.EXE

from http://www.superantispyware.com/supportfaqdisplay.html?faq=71

Download manual def update (the spyware blocks access to the automated method)

http://www.superantispyware.com/definitions.html

Updated using the manual updater, and executed using the special RUNSAS.EXE program.

Scanned system. Removed several very bad sounding viruses :)

Rebooted. The acute Malware was still there.

Downloaded the latest version of SmitFraudFix. Still would not run.

Renamed it to SFF.EXE and executed. It ran and went through the usual SmitFraudFix process.

Rebooted. The Acute infection _appears_ to be gone but Symantec AntiVirus is still reporting a Trojan running from a file called BIT6f.tmp. Repeated deletions result in it coming back at restart.

So, while I'm 90% there, there is still what appears to be a loader on this machine.

I'm running a second SAS run, which is clean except for the usual cookie reports at this point.

Will reboot again afterwards. If the SAV report comes back again, I'll have to keep digging.
 
If that file keeps coming back you are missing a hook somewhere. Have you run HJT?


Here's some info for you.

http://www.bleepingcomputer.com/malware-removal/remove-total-secure-2009

I love bleepingcomputer; they, castlecops and spywareinfo are my favorite resources for researching malware removal. Castlecops for their databases for looking up stuff in HiJackThis, bleepingcomputer for their removal guides and Spywareinfo for their malware removal training program (aptly named boot camp).

It lists all of the files that it uses, the associated registry keys and the HJT flags for the infection.

All of these sites also have trained malware removal professionals who can tell you what to do to get the system back in working order, I like castlecops and spywareinfo the best. The training (a la bootcamp) is intense and very very hard. They also like to see harder cases because it alerts them to new variants, the makers of SmitFraud, ComboFix and many other specialized programs like this hang out on these forums. If I get a nasty infection I never trust myself to remove it all, most of the time I have but sometimes I have one or two hooks leftover that can allow it to come back or just makes me uncomfortable. Good luck with this, it appears most of the time these forums can talk you through it. If you do a lot of malware removal, maybe you should go through the bootcamp. You will learn A LOT and get some new toys to play with.

EDIT: hmmm spywareinfo seems to be offline.
EDIT2: It is not located at http://www.spywareinfoforum.com/.
 
> Seems to be a new wave of trojans coming out..from what I've read so far, under a new family tree called "MalwarePro"
>
> Where the older ZLob variants were coming under names which sounded very "Microsoft"..like Defender2008 or XPAntivirus2009, etc....variants of this MalwarePro family seem to mimic 3rd party removal tool names. One that I came across was called "Search and Destroy"...some version 5.40 or something, which is not the Spybot Search and Destroy product.

QFT. Of the infections I've dealt with (granted, I don't do consulting work like you much anymore) of friends/family, it's all been this social-engineering type.
Anti-virus that claims to be good but that's actually malware is a big one, and I think it'll just get worse.
 
This actually began about a year and a half ago. Spybot was reporting someone was buying up any and all domains they could dealing with Search and Destroy, then using them to begin spreading malware when people searched for Spybot Search and Destroy. This is more than likely an extension of that, with nastier baddies.
 
I hate malware but at least it keeps the lights on. I could probably run a business that all I did was spyware/virus removal.....

This crap is getting a little bit old, though. I've had a ton of XP Anti-Virus 2009 and some other variants that operated and looked exactly the same but with different names. SuperAntiSpyware from Safe Mode w/o networking and a good CCleaner after disabling System Restore have usually taken care of it.
 
Well, I managed to remove the malware, but unfortunately the Loader, which turned out to be a Rootkit, kicked my ass. 4 hours is about all I can afford to put into one machine so it was punted to the imaging team.

Damn, I hate to lose against these bastards, but time is time.
 
> Well, I managed to remove the malware, but unfortunately the Loader, which turned out to be a Rootkit, kicked my ass. 4 hours is about all I can afford to put into one machine so it was punted to the imaging team.
>
> Damn, I hate to lose against these bastards, but time is time.

Don't forget Esets SysInspector utility....
http://www.eset.com/download/sysinspector.php

Great for finding stuff "manually" that regular scanning programs miss. Excellent program...I used it after running several regular scanners. It's like hijack this and autoruns on steroids.
 
Can't for the life of me figure out why y'all fight the reload so hard.

I like the three step program::)

1) Move data
2) Identify
3) Zero and re-image


Step two is just there so the patches stay up-to-date.
I can't tell you how many hours I've saved by just nuking the shit from orbit. (A shitpot... really)
 
Because for many clients...that's a huge undertaking. Many times a small business client has a workstation that has a kajillion different fine-tuned settings from many many programs. Often easier to spend a few hours scanning and removing...versus turning it into a day or two project (that will cost the end user well over a thousand bucks)...doing a wipe 'n clean 'n restore.

> Can't for the life of me figure out why y'all fight the reload so hard.
>
> I like the three step program::)
>
> 1) Move data
> 2) Identify
> 3) Zero and re-image
>
> Step two is just there so the patches stay up-to-date.
> I can't tell you how many hours I've saved by just nuking the shit from orbit. (A shitpot... really)
 
^ bingo.

I haven't seen any spyware that can't be cleaned by

1 - booting into ERD and checking regedit, system32, system, program files, drivers, yada yada directories and manually deleting files
2 - booting into safemode running cleanup!, mbam, and ccleaner

should be good then.
 
> Because for many clients...that's a huge undertaking. Many times a small business client has a workstation that has a kajillion different fine-tuned settings from many many programs. Often easier to spend a few hours scanning and removing...versus turning it into a day or two project (that will cost the end user well over a thousand bucks)...doing a wipe 'n clean 'n restore.

It takes us roughly 30 minutes to grab data and nuke.

Then again, we have thousands of man hours into Altiris and carefully managed write access, *shrug*

It all goes back to planning versus reacting.
 
> It takes us roughly 30 minutes to grab data and nuke.
>
> Then again, we have thousands of man hours into Altiris and carefully managed write access, *shrug*
>
> It all goes back to planning versus reacting.

In larger enterprise setups....yeah image deployments are fine, great..."Yay..you have the resources for that!". But to lump everyone into the category of having that luxury is a mistake. Many of us are consultants for SMB...and clients don't have the budget for that luxury. Clients don't always have the software install disks/licensing right at hand either.

The tools out there now are quite effective in removing the infections in a matter of hours. Other work can be done while doing those 30-45 minute back to back scans.
 
> It all goes back to planning versus reacting.

If you had all user-data stored off to servers, and basically had thin clients, it would be no problem whatsoever.

But many store things locally, simply not an option, at least for SMBs.
 
Malware is getting to be too much of a pain. I can seriously see now a point in my life where it's like the Martial Arts story lines where the master is too old to push out the needed energy to continue fighting.

More back on topic: I have created and been using Bart PE for a while and will continue to do so. Most times it's not for malware, but one computer was infected with a very bad version of XP Antivirus and it actively looked for attempts to delete it and removed all attempts. I booted into PE and took care of it. Windows PE 2.0 is said to come with Vista. I think more and more infections are going to start pushing us towards offline removal :mad:
 
> Malware is getting to be too much of a pain. I can seriously see now a point in my life where it's like the Martial Arts story lines where the master is too old to push out the needed energy to continue fighting.
>
> More back on topic: I have created and been using Bart PE for a while and will continue to do so. Most times it's not for malware, but one computer was infected with a very bad version of XP Antivirus and it actively looked for attempts to delete it and removed all attempts. I booted into PE and took care of it. Windows PE 2.0 is said to come with Vista. I think more and more infections are going to start pushing us towards offline removal :mad:

Good timing....yesterday afternoon I came across my first ZLob variant that kicked my arse from removing it onsite at the client...I had to take their PC back with me so we can slave the drive to a rig we have in the office and do the scans.

This was a new variant that came under the rogue XP Antivirus 2009 name (several new variants come out each day with this one). So far I have always been able to clean them up with the usual tools.

This variant shut down each tool. I could surf the web fine..but couldn't download removal tools. Installing removal tools from the thumb drive...they would not update, and once I rebooted the PC...these tools were not able to launch..even in safe mode. You could see them in task manager...but no GUI would come up. I reset TCP/Winsock, I even manually added OpenDNS servers, I checked the hosts file, I eyeballed task manager, I looked in the registry....the only entry I found to load part of it had been installed in the win.ini. The only program I could get to run 'n scan was AntiVir...she found only 6 items. Rootkit time I guess...we'll see what happens when we slave this drive 'n scan it.
 
> Good timing....yesterday afternoon I came across my first ZLob variant that kicked my arse from removing it onsite at the client...I had to take their PC back with me so we can slave the drive to a rig we have in the office and do the scans.
>
> This was a new variant that came under the rogue XP Antivirus 2009 name (several new variants come out each day with this one). So far I have always been able to clean them up with the usual tools.
>
> This variant shut down each tool. I could surf the web fine..but couldn't download removal tools. Installing removal tools from the thumb drive...they would not update, and once I rebooted the PC...these tools were not able to launch..even in safe mode. You could see them in task manager...but no GUI would come up. I reset TCP/Winsock, I even manually added OpenDNS servers, I checked the hosts file, I eyeballed task manager, I looked in the registry....the only entry I found to load part of it had been installed in the win.ini. The only program I could get to run 'n scan was AntiVir...she found only 6 items. Rootkit time I guess...we'll see what happens when we slave this drive 'n scan it.

I have had this happen as well. If the machine is an XP machine, you can do an OS repair which will allow you to proceed with scanning when finished. Another thing you can do is run SuperAntispyware from the Ultimate Boot CD for Windows.

http://www.ubcd4win.com/
 
What I generally do is boot into ERD; usually the thing attaches itself to Winlogon or the Shell.

I look at that, delete those (remembering the file name), go to that location and delete the file and all the other files that are malware-ish (usually a bunch of files created at the same time with weird names). Then you can pull the hard drive out and run Malware Bytes on a second machine, then safe mode it. Run Cleanup!, then malware bytes again.

sometimes it takes a while but you usually can do it, sometimes hard on site.
 
I've run across a few that needed various things removed while booted through something else. Trinity Rescue Kit is AWESOME when it comes to this -- mounting your file system, scanning for viruses, it's great*!

*(if you are not afraid of a command line)
 
Wow this new variant is spreading like wildfire....the new XP Antivirus 2009 variant...got slammed with calls today. Pesky rootkit components.
 
I just finished up a machine that was infected. This machine has Kaspersky installed, but it still got through. The attack vector was Limewire... Hopefully they will listen this time when I tell them not to use it...
 
At a doctors home now, cleaning up his PC....he had Avast running on it. This one seems an older variant...MalwareBytes got the majority of it, going with AntiVir now finishing up.

Their son runs lots of P2P for free music. :rolleyes:
 
The new variants are a bitch wow, the antivirus part is easy enough to get rid of but the nasty part is turning out to be a real pain.
 
> I have had this happen as well. If the machine is an XP machine, you can do an OS repair which will allow you to proceed with scanning when finished. Another thing you can do is run SuperAntispyware from the Ultimate Boot CD for Windows.
>
> http://www.ubcd4win.com/

I was going to suggest UBCD4Win also. Forget booting into safe mode - boot a windows environment that doesn't load anything from the hard drive. I know this is what PE does, but the UBCD is a well-packaged batch of utilities that I try to make sure I'm never without.

Another plus - the toolset includes DriveImageXML, so you can image the drive in case the cleanup attempt hoses things, and you can extract individual files from the image, so if you decide to nuke and reload, you can restore any files you need.
 
I defeated this ("Antivirus 2009" variant) from a coworker's computer in the following way:

-NOD32 killed scui.cpl
-I deleted av2009.exe by booting up NTFS4DOS from UBCD
-Anti-Malware took care of the rest

I have no idea how he got it. He's one of the regular office staff, and I have never, ever gotten anything except "I don't know how it got there; it just happened on its own" when I inquire as to how they get viruses down there. Ugh.
 
Danit, I have this right now!!!!! I googled "Fable 2 The Bargain" and clicked one of the links. The next thing I know, my printer started making sounds like it was being activated and my computer restarted. Now, I have an annoying red X in my tray telling me that "windows" has found spyware, it wants me to download something. AVG has been disabled and I can't go to download.com or anywhere to download SpyBot Search and Destroy, it redirects me to some site called Bulls Eye.

:( This is a nasty one. I won't feel safe until I format. I hate to lose all of the anime and stuff that I don't have space to back up. I hate the douches who do this stuff.
 
You don't need to format. There's plenty of information on how to take care of it without doing so. There's enough even in this thread alone.
 
I am going through something similar. I started to notice things were iffy when some windows would open themselves. AVG, Ad-Aware and Spybot Search and Destroy, none are able to connect to the server to update; Ad-Aware is still ticking, mostly because c-net allows you to download a newer version, but it won't let you connect to update.

The MS update icon was replaced by a similar but larger looking icon that tells you how you need to install an anti virus, and tries to install some crap. This Virus/spyware/malware is really strong; if you try to go to, let's say, lavasoft.com (ad-aware) it blocks the site and says it's no good; you try to Google it and when you go to a link it redirects you to some other funky spyware site. Tried to remove one and stop them at msconfig and it did something, forced my pc to lock down when the pc booted up. I had to boot from my install cd and repair windows by /fixboot; problem is that it messed up dual boot and only xp boots now.

I am affected by
win32.trojan.agent
antiviruspro2009
cmdservices
virtumonde
hacktool.netmon

Man this stuff is tough to fight off, can't completely fight it off, I think xp3 made a hole in security in XP. I am tempted to switch my Vista partition to 64bit. Going to have to reformat and restart from scratch, this is just hell.

I wish I could hack and fry the malware creator's server (I can't hack), or find them and sue them, or even better track them down and wreck their server/pc/workstation with a sledgehammer.

Instead of Net neutrality the government should work on Net security; sites like that antivirus2009 should be taken down and raided by the CIA, maybe toss them in Guantanamo summer camp.
 
I see a lot of these types of viruses where I work. One thing I have been noticing with computers being infected with (insert name of malware) 2009: it will install a rootkit.

Boot from a windows live cd (ultimate boot cd), search c:\windows\system32 for tds*.* If you find a bunch of files starting with tds, those usually correlate with the files the rootkit hides. There's one file that is a default windows file, so don't delete that. You can check the file dates to differentiate which one is the rootkit.

Restart in safe mode. Use ccleaner to clean up all the crap in the computer and delete any startup items that shouldn't be there. Delete all your system restore files. I've noticed that malware will hide itself in the system volume information directory, so even if you did a restore to a previous state, it will somehow reinstall itself. Use sysinternals autoruns software to look at all the files that will load up on your computer on start. Use common sense when deleting certain entries; if not sure, just uncheck it. After all that, do a virus scan for all files. I've seen nod32 pick up avi's and mp3's as viruses before. The last step is important: set your clock back to august 14, 2008 and run combofix.

This is what I normally do whenever I get an infected computer in at work. After the computer restarts, I make sure there's no more malware running before I get on the internet and use eset onlinescan. This so far has worked for me on a majority of computers that come in.
 
> I see a lot of these types of viruses where I work. One thing I have been noticing with computers being infected with (insert name of malware) 2009: it will install a rootkit.
>
> Boot from a windows live cd (ultimate boot cd), search c:\windows\system32 for tds*.* If you find a bunch of files starting with tds, those usually correlate with the files the rootkit hides. There's one file that is a default windows file, so don't delete that. You can check the file dates to differentiate which one is the rootkit.

The rootkit's initial files are placed in the system32\dllcache hidden folder, as well as (some variants) being launched from the win.ini file. That's the default location for windows file protection backup .dll files..so many files in there are legit system files.

I've seen a few PCs with tds* files...but these new xpav2k9 rogues are coming out with several variants per day, there are many more oddball file names. Yes..ZLob writers are releasing as many as 3,4,5 or more new variants each day to stay ahead of the antivirus/antimalware programs.

I pretty much stay away from home computers, barely have to work on a business clients home computer a few times a year. But for the past 2 weeks...have had over a dozen come for help. The activity of this rogue AV product has skyrocketed like mad lately.
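Several posts above describe doing the same checks by hand on a slaved drive: looking at the hosts file for entries that block security-vendor sites, reading win.ini for load=/run= autostarts, and comparing the dates of tds* files in System32 (and System32\dllcache) to tell the dropped ones from the legitimate one. The script below, an added example that is not code from any post or tool in this thread, runs those three checks against a mounted volume root and returns the findings. The watched domain list is taken from the sites named in the thread, the "recent = more than 30 days newer than the System32 median modification time" heuristic is my own, and the sample volume it builds is constructed (TDSSserv.sys is the driver name given later in the thread; tds_legit_example.dll and tdssdropped.dll are made-up names).

```python
# Offline triage of a slaved Windows volume for indicators raised in this thread:
# hosts-file entries that block security-vendor sites, win.ini load=/run= autostarts,
# and tds*-named files in System32 and System32\dllcache whose timestamps stand out.
# Added example, not from any post or tool in the thread; the domain list, the
# 30-day heuristic and the sample volume are constructed for illustration.
import os
import statistics
import tempfile

# Security-vendor sites named in the thread. Any hosts entry naming one of them is
# suspicious: a loopback mapping sinkholes the site, anything else redirects it.
WATCHED_DOMAINS = ("superantispyware.com", "bleepingcomputer.com", "eset.com",
                   "download.com", "lavasoft.com", "ubcd4win.com")

# A tds* file this much newer than the volume's install-era baseline gets flagged.
RECENT_THRESHOLD_SECONDS = 30 * 24 * 3600


def suspicious_hosts_entries(volume_root):
    """Return (ip, hostname) pairs from the hosts file that name a watched domain."""
    hosts = os.path.join(volume_root, "Windows", "System32", "drivers", "etc", "hosts")
    findings = []
    if not os.path.isfile(hosts):
        return findings
    with open(hosts, "r", errors="replace") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
            if not line:
                continue
            ip, *names = line.split()
            for host in (n.lower() for n in names):
                if any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS):
                    findings.append((ip, host))
    return findings


def win_ini_autostart(volume_root):
    """Return non-empty load= / run= values from the [windows] section of win.ini."""
    path = os.path.join(volume_root, "Windows", "win.ini")
    findings, section = [], None
    if not os.path.isfile(path):
        return findings
    with open(path, "r", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].lower()
            elif section == "windows" and "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                if key.lower() in ("load", "run") and value:
                    findings.append((key.lower(), value))
    return findings


def tds_files(volume_root):
    """List tds* files in System32 and dllcache; flag ones far newer than the System32 median mtime."""
    sys32 = os.path.join(volume_root, "Windows", "System32")
    mtimes = [os.path.getmtime(os.path.join(sys32, f)) for f in os.listdir(sys32)
              if os.path.isfile(os.path.join(sys32, f))]
    baseline = statistics.median(mtimes) if mtimes else 0.0  # approximates the install date
    findings = []
    for folder in filter(os.path.isdir, (sys32, os.path.join(sys32, "dllcache"))):
        for name in sorted(os.listdir(folder)):
            full = os.path.join(folder, name)
            if os.path.isfile(full) and name.lower().startswith("tds"):
                mtime = os.path.getmtime(full)
                findings.append({"path": full, "name": name, "mtime": mtime,
                                 "recent": mtime - baseline > RECENT_THRESHOLD_SECONDS})
    return findings


def triage(volume_root):
    return {"hosts": suspicious_hosts_entries(volume_root),
            "win_ini": win_ini_autostart(volume_root),
            "tds_files": tds_files(volume_root)}


def build_sample_volume(root, now=1_230_000_000.0):  # constructed "now": a late-2008 epoch
    """Constructed sample volume; TDSSserv.sys is from the thread, the other tds* names are made up."""
    old = now - 400 * 24 * 3600  # install-era timestamp for the legitimate files
    sys32 = os.path.join(root, "Windows", "System32")
    etc, dllcache = os.path.join(sys32, "drivers", "etc"), os.path.join(sys32, "dllcache")
    os.makedirs(etc)
    os.makedirs(dllcache)
    for folder, name, stamp in ((sys32, "kernel32.dll", old), (sys32, "user32.dll", old),
                                (sys32, "ntdll.dll", old), (sys32, "tds_legit_example.dll", old),
                                (sys32, "TDSSserv.sys", now), (dllcache, "tdssdropped.dll", now)):
        path = os.path.join(folder, name)
        open(path, "wb").close()
        os.utime(path, (stamp, stamp))
    with open(os.path.join(etc, "hosts"), "w") as fh:  # one redirect entry, one sinkhole entry
        fh.write("127.0.0.1 localhost\n203.0.113.7 www.superantispyware.com\n"
                 "127.0.0.1 download.com www.download.com\n")
    with open(os.path.join(root, "Windows", "win.ini"), "w") as fh:
        fh.write("[windows]\nload=\nrun=C:\\WINDOWS\\system32\\TDSSserv.sys\n[fonts]\n")


def run_demo():
    root = tempfile.mkdtemp(prefix="triage_")
    build_sample_volume(root)
    return triage(root)
```

Point `triage()` at the mount point of a slaved drive (the folder that contains `Windows`) to run the same checks on a real volume; `run_demo()` only exists to exercise the code on the constructed sample. The date comparison is a hint, not proof: the post above says the one legitimate tds* file is told apart by its date, so the script reports every tds* file and marks which ones are far newer than the rest of System32, leaving the delete decision to the person at the keyboard.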
 
these virus threads remind me of this comic :D
 
anyone have trouble with Antivirus360?!?

getting this one off a machine today.... silly little program fakes a BSOD and fakes a reboot too.

I removed the Program, but can't find the registry nodes for it....

Note: CCleaner didn't find it and neither did AVG....
 
Download Avenger

For all the fake anti-virus malware-> start avenger

input script here:

Drivers to delete:
TDSSserv.sys

run. check for rootkit box checked.
you should be able to run mbam
 